(57) ABSTRACT

Features of a data processing system, such as its configuration, are protected utilizing a machine-specific limited-life password. The data processing system includes execution resources for executing a watchdog program, a limited-life value generator, and non-volatile storage that stores a machine-specific value at least partially derived from relatively unique information associated with the data processing system (and preferably also derived from a secret control password). In response to each attempted access to the protected features of the data processing system, the watchdog program generates at least one machine-specific limited-life password from the machine-specific value and a limited-life value generated by the limited-life value generator. The watchdog program allows access to the protected features in response to entry of the machine-specific limited-life password and otherwise denies access. Depending upon implementation, the limited-life value can represent a timestamp that limits the duration that the machine-specific limited-life value is valid or a nonce that limits the number of times that the machine-specific limited-life value can be used.

31 Claims, 6 Drawing Sheets 
METHOD AND SYSTEM FOR PROVIDING LIMITED-LIFE MACHINE-SPECIFIC PASSWORDS FOR DATA PROCESSING SYSTEMS

CROSS-REFERENCE TO RELATED APPLICATION

This application is related to the following co-pending applications:

(1) Ser. No. 09/052,554, entitled "Method and Apparatus for Establishing Computer Configuration Protection Passwords for Protecting Computer Configurations," filed Mar. 31, 1998, and incorporated herein by reference; and

(2) Ser. No. 09/262,124, entitled "Method and System for Password Protection of a Data Processing System that Permit a User-Selected Password to Be Recovered," filed Mar. 3, 1999, and incorporated herein by reference.

BACKGROUND OF THE INVENTION

1. Technical Field

The present invention relates in general to data processing and in particular to password protection of data processing systems. Still more particularly, the present invention relates to a method and system for providing password protection for data processing systems through the use of limited-use machine-specific passwords.

2. Description of the Related Art

A typical corporate environment includes a distributed collection of laptop and/or desktop computers that are each assigned to a particular user who is responsible for his or her computer. Even though the individual users are entrusted with "ownership" of their respective machines, the computers are all typically administered by a centralized administrative department. Frequently, the administrative department, prior to distribution of a computer to a user, initializes the computer with hardware settings, software configurations, and other critical parameters that it is desirable for the user not to alter. For this reason, in addition to conventional power-on passwords (POPs), such centrally administered computers can also have a secondary administrative password that must be entered into the computer before the critical settings of the computer can be changed. These administrative passwords are given to users only as needed, typically when the administrative department's help desk is assisting a user in rectifying a computer problem.

In order to enhance the security of administrative passwords, it is desirable for the administrative password of each computer in a collection of computers to be unique. However, the administrative password for a computer should not be related to the computer in a manner that permits the administrative password to be easily deduced. The first co-pending application referenced above describes a method and apparatus for establishing administrative passwords that satisfies these requirements by providing computer-specific administrative passwords that cannot easily be deduced from information known about the computer.

Despite the high level of administrative password security provided by the invention described in the first co-pending application referenced above, once a user has been given the administrative password for his computer, the user is thereafter able to reconfigure his computer at will. The present invention recognizes that it would also be desirable and useful to limit the ability of a user to reconfigure his computer once the user is informed of the administrative password for the computer.
SUMMARY OF THE INVENTION

The present invention satisfies the need to permit a user to have limited access to an administrative password that controls reconfiguration of a computer by providing a method and system for enforcing password protection of a computer system that limits reuse of an administrative password.

In accordance with the present invention, features of a data processing system, such as its configuration, are protected utilizing a machine-specific limited-life password. The data processing system includes execution resources for executing a watchdog program, a limited-life value generator, and non-volatile storage that stores a machine-specific value at least partially derived from relatively unique information associated with the data processing system. In response to each attempted access to the protected features of the data processing system, the watchdog program generates at least one machine-specific limited-life password from the machine-specific value and a limited-life value generated by the limited-life value generator. The watchdog program allows access to the protected features in response to entry of a valid machine-specific limited-life password and otherwise denies access. In accordance with the present invention, the limited-life value can represent a timestamp that limits the duration that the machine-specific limited-life value is valid or a nonce that limits the number of times that the machine-specific limited-life value can be used.
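The time-limited form of the scheme just summarised, worked through as an added example (not code from the patent) using the concrete choices the Detailed Description below makes: SHA-1 over the control password and pre-processed serial number, SHA-1 over a timestamp and the machine-specific hash, the 36-character conversion table of FIG. 6, and a tolerance window that is wider after the help desk's timestamp than before it. The password length, the one-minute clock increment, the window sizes and the clock values are assumptions; the control password and serial number are those of the page's worked example.

```python
"""Added example (not code from the patent): time-limited machine-specific
passwords as in FIGS. 3, 4A, 4B and 6.  PW_SIZE, TIME_INCREMENT and the
tolerance window sizes are assumptions, not values given on the page."""
import hashlib
import hmac
from datetime import datetime, timedelta

CONVERSION_TABLE = "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ"   # CT_SIZE = 36 (FIG. 6)
PW_SIZE = 8                                                  # assumption (<= 20, the SHA-1 length)
TIME_INCREMENT = timedelta(minutes=1)                        # assumption: clocks agree to the minute


def preprocess_serial(serial_number: str) -> str:
    """Capitalise and drop non-alphanumerics, as the page's worked example does."""
    return "".join(ch for ch in serial_number.upper() if ch.isalnum())


def hash_input(control_password: bytes, serial_number: str) -> bytes:
    """Block 84 input string: control password || pre-processed serial number."""
    return control_password + preprocess_serial(serial_number).encode("ascii")


def machine_specific_hash(control_password: bytes, serial_number: str) -> bytes:
    """Block 84: non-reversible hash (SHA-1) of the input string.  This 20-byte
    value is what enterprise administration stores in secure NVRAM (block 86)."""
    return hashlib.sha1(hash_input(control_password, serial_number)).digest()


def hash_to_password(digest: bytes) -> str:
    """FIG. 6: accum += hash[i]; j = accum mod CT_SIZE; password[i] = table[j]."""
    accum = 0
    password = []
    for i in range(PW_SIZE):                           # blocks 106-114
        accum += digest[i]
        password.append(CONVERSION_TABLE[accum % len(CONVERSION_TABLE)])
    return "".join(password)


def time_limited_hash(msh: bytes, stamp: datetime) -> bytes:
    """Block 126: SHA-1 over timestamp (date and time) || machine-specific hash.
    The timestamp is truncated to the agreed increment so both sides hash the
    same string."""
    stamp = stamp.replace(second=0, microsecond=0)
    return hashlib.sha1(stamp.strftime("%m/%d/%Y %H:%M").encode("ascii") + msh).digest()


def help_desk_password(control_password: bytes, serial_number: str,
                       admin_clock: datetime) -> str:
    """FIG. 4A, help desk side: nothing is stored per machine; the password is
    re-derived from the control password, the serial number and the current time."""
    msh = machine_specific_hash(control_password, serial_number)
    return hash_to_password(time_limited_hash(msh, admin_clock))


def watchdog_accepts(stored_msh: bytes, entered: str, machine_clock: datetime,
                     valid_after: timedelta = timedelta(minutes=10),
                     skew_before: timedelta = timedelta(minutes=2)) -> bool:
    """FIG. 4B, target side (blocks 144-152).  Candidate admin timestamps run
    from machine_clock - valid_after (how long an issued password stays usable)
    up to machine_clock + skew_before (the admin clock running ahead of ours).
    As the page notes, the window after the admin timestamp is the larger one;
    the window before it only has to cover clock mis-synchronisation."""
    stamp = (machine_clock - valid_after).replace(second=0, microsecond=0)
    end = machine_clock + skew_before
    while stamp <= end:
        candidate = hash_to_password(time_limited_hash(stored_msh, stamp))
        # constant-time compare: the watchdog should not leak near-misses by timing
        if hmac.compare_digest(candidate, entered):
            return True                                # block 152: access granted
        stamp += TIME_INCREMENT
    return False                                       # block 150: access denied


def acceptance_profile(control_password: bytes, serial_number: str, skews_in_minutes,
                       issued_at: datetime = datetime(2004, 2, 4, 10, 30)) -> dict:
    """Issue one password at issued_at, then let the watchdog check it with its
    own clock offset by each skew (in minutes).  issued_at is a constructed value."""
    stored = machine_specific_hash(control_password, serial_number)   # done once at init
    pw = help_desk_password(control_password, serial_number, issued_at)
    return {skew: watchdog_accepts(stored, pw, issued_at + timedelta(minutes=skew))
            for skew in skews_in_minutes}


if __name__ == "__main__":
    # Control password and serial number from the page's worked example.
    control = bytes.fromhex("0123456789ABCDEF")
    for skew, granted in acceptance_profile(control, "78-AAKP7", [-3, -2, 0, 10, 11]).items():
        print(f"machine clock {skew:+d} min from issue time: {'granted' if granted else 'denied'}")
```

With the assumed window the password is accepted when the machine clock reads between two minutes before and ten minutes after the issue time, and rejected outside it.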

All objects, features, and advantages of the present invention will become apparent in the following detailed written description.

BRIEF DESCRIPTION OF THE DRAWINGS

The novel features believed characteristic of the invention are set forth in the appended claims. The invention itself however, as well as a preferred mode of use, further objects and advantages thereof, will best be understood by reference to the following detailed description of an illustrative embodiment when read in conjunction with the accompanying drawings, wherein:

FIG. 1 depicts an enterprise computing environment with which the present invention may advantageously be utilized;

FIG. 2 illustrates a block diagram of an exemplary password-protected computer system in accordance with the present invention;

FIG. 3 is a high level logical flowchart of an exemplary method of initializing a password-protected computer system in accordance with the present invention;

FIG. 4A is a high level logical flowchart of an exemplary method of producing a time-limited administrative password for a computer system in accordance with the present invention;

FIG. 4B is a high level logical flowchart of an exemplary method of protecting a computer system with a time-limited administrative password in accordance with the present invention;

FIG. 5A is a high level logical flowchart of an exemplary method of producing a limited-use administrative password for a computer system in accordance with the present invention;

FIG. 5B is a high level logical flowchart of an exemplary method of protecting a computer system with a limited-use administrative password in accordance with the present invention; and

FIG. 6 is a high level logical flowchart of an exemplary method for converting a hash into an administrative password in accordance with the present invention.
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DETAILED DESCRIPTION OF ILLUSTRATIVE and application software stored in system memory 46. In a 

EMBODIMENT preferred embodiment of the present invention, such appli- 

„ rt , f 4 iU c , . , ... cation software includes configuration watchdog program 

With reference now to the figures and in particular with Att ... . ... • ♦ . . 

reference to FIG. 1. there is illustrated ao enterprise com- , 45 ' wiu % M ? e < f nbed ' u P*?**?' pr ° te f 1 

puting eovironment 8 with which the present invention may 5 ^ " a 8 ainst «™*°nzed alterahoos to its configura- 

advantageously be utilized. As illustrated, enterprise com- ^ ^T^T t "ITr ™ P ' ^ 

puting Environment 8, which may represent networked l ° Com P oneD1 h*™*™" 

computers at a corporate campus (or campuses), contains a * ' 03 

plurality of networks, including local area networks (LANs) PC1 local bus 50 supports the attachment of a number of 

10 and 12. LANs 10 and 12 are coupled together through a 10 devices, including adapters and bridges. Among these 

gateway server 14 and each contain a number of individual devices is network adapter 66, which interfaces computer 

computer systems 16 and 18, respectively. In the illustrative svstem 16 t0 LAN 10 » and graphics adapter 68, which 

embodiment, each of the computer systems 16 and 18 within interlaces computer system 16 to display 69. Commumca- 

LANs 10 and 12 is depicted as a desktop or laptop computer; lion oa PCI local bus 50 * governed by local PCI controller 

however, those skilled in the art will appreciate that LANs 15 52 > whicb * 10 *rn coupled to non-volatile random access 

10 and 32 may alternatively or additionally include a phi- memory (NVRAM) 56 via memory bus 54. Local PCI 

rality of workstations coupled to a host processor. As is controller 52 can be coupled to additional buses and devices 

common in data processing networks, each computer system v * a a second host bridge 60. 

16 and 18 may have an associated storage device 20 and a Computer system 16 further includes Industry Standard 
printer 22. 20 Architecture (ISA) bus 62 , which is coupled to PCI local bus 
Enterprise computing environment 8 further includes a 50 bv JSA bridge 64. Coupled to ISA bus 62 is an input/ 
help desk computer 24 coupled to LAN 10 by a communi- out P ut (I/O) controller 70, which controls communication 
cation link 26. Help desk computer 24, which may be between computer system 16 and attached peripheral 
manned by one or more help desk operators, executes devices such as a keyboard, mouse, and disk drive (e.g., 
network administration software that assists the help desk storage 14). In addition, I/O controller 70 supports external 
operators to service the computing needs of the users of communication by computer system 16 via serial and par- 
computers 16 and 18. As will be understood by those skilled a ^ e ' ports. 

in the art, enterprise computing environment 8 additionally With reference now to FIG. 3, there is illustrated a high 

includes unillustrated gateways, routers, bridges, and van- 3Q level logical flowchart of a method of initializing a 

ous other network hardware utilized to interconnect the password-protected computer system, such as computer 

various segments of enterprise computing environment 8. system 16 of FIG. 2, in accordance with the present inven- 

As will be appreciated from the foregoing, each of com- tion. The initialization process illustrated in FIG. 2 is typi- 

puters 16 and 18 typically is assigned to one or more users cally performed by enterprise administration prior to releas- 

viewed as "owners" of those computers. Computer users 35 ing computer system 16 to a user. 

within the corporation may alternatively or additionally be As shown, the process begins at block 80 and thereafter 

assigned intermittently-networked or stand-alone data pro- proceeds to block 82, which depicts an enterprise adminis- 

cessing systems. In order to restrict access to these data trator obtaining the serial number or other readily available 

processing systems (i.e., computers 16 and 18 of enterprise information that relatively uniquely identifies the computer 

computing environment 8 as well as any additional com- 40 system 16 to be password protected. Next, at block 84 a 

monly administered data processing systems) to only autho- machine-specific hash is derived from the serial number or 

rized users, each data processing system is preferably pass- other identifying information of computer system 16 and a 

word protected with a power-on password (POP). In control password (or pass phrase) that is unknown to the user 

addition, each data processing system is preferably protected and maintained in secret by enterprise administration. In a 

by a relatively unique administrative password or pass 45 preferred embodiment, the machine-specific hash is derived 

phrase required to alter the configuration of the computer set by concatenating the serial number and the control password 

by enterprise administration. and then hashing the resulting string with a non-reversible 

Referring now to FIG. 2, there is depicted a block diagram hashing algorithm such as SHA-1, MDS, MDC2 or 

of an illustrative embodiment of a computer system 16 RIPEMD-160. As well-known to those skilled in the art, 

within enterprise computing environment 8, having a con- 50 each of these hashing algorithms accepts as an input an 

figuration protected by a machine-specific limited -life arbitrary-length input string and yields as an output a 

administrative password in accordance with the present random-appearing fixed-length output string that, for a given 

invention. The illustrative embodiment depicted in FIG. 2 hashing algorithm, is the same for identical inputs. It is also 

may be a desktop computer system such as an Aptiva®, a important to note that although the input string for the 

laptop computer such a ThinkPad™, or a workstation com- 55 hashing algorithm can be formed by concatenating the 

puter such as the RS/6000®, which are all manufactured by identifying information and the control password as 

International Business Machines (IBM) Corporation of described above, any other consistent combination of the 

Armonk, New York; however, as will become apparent from identifying information and control password to form a hash 

the following description, the present invention is applicable input string would be acceptable, including exclusive OR 

to the password protection of any data processing system, so reverse concatenation, etc. In addition, additional compo- 

As shown in FIG. 2, computer system 16 includes at least nents can be combined to form the input string, as long as 
one system processor 42, which is coupled to a Read-Only such components are consistently utilized. 
Memory (ROM) 40, a secure non-volatile memory 43, and As shown at block 86, the network administrator then 
a system memory 46 by a processor bus 44. System pro- stores the machine-specific hash in a secure non-volatile 
cessor 42 is a general -purpose processor that executes boot 65 storage area of computer system 16 that is not accessible to 
code 41 stored within ROM 40 at power-on and thereafter the user by ordinary means. The security of the machine- 
processes data under the control of an operating system 47 specific hash maybe protected, for example, by an initial- 



04/02/2004, EAST Version: 1.4.1 



US 6,601,175 Bl 

5 6 

ization password or by storing the machine-specific hash in algorithm employed are implementation dependent. The 

a write-only location accessible only to computer system 16 time-limited bash computed at block 126 is then converted 

such as secure non-volatile storage 43, as is well-known in into a time -limited administrative password of reasonable 

cryptography. The initialization process then terminates at length that can be input from the computer keyboard. One 

block 90. 5 example of a method that can be utilized to convert the 

Once a computer system has been intialized by enterprise time-limited hash into a time- limited administrative pass- 
administration in the manner shown in FIG. 3, the user must word is described below with reference to FIG. 6. Following 
have access to the machine-specific administrative password block 128, the process shown in FIG. 4A terminates at block 
of the computer system to unlock its sensitive configuration and me time-limited administrative password is sup- 
processes and modify its configuration. In order to prevent 10 P ucd to ^ c ^r or t0 tae user's computer system via a 
the user from being able to reconfigure the computer system network or a portable storage medium, 
at will after learning the administrative password, the useful With reference now to FIG. 4B, there is illustrated a high 
lifetime of the administrative password is preferably limited level logical flowchart of an exemplary method by which a 
in one of two ways — either by restricting the validity of the computer system enforces password-protection of its con- 
administrative password to a predetermined time period or a 15 figuration using a time-limited administrative password in 
predetermined number of uses (or sessions). Implementa- accordance with the present invention. The process, which is 
tions of these two schemes are described below with refer- preferably implemented as a configuration "watchdog" pro- 
ence to FIGS. 4A and 4B and FIGS. 5 A and 5B, respectively, gram executed by the computer system, begins at block 140 

Referring first to FIG. 4A, there is depicted a high level and thereafter proceeds to block 142, which illustrates the 
logical flowchart of an exemplary method by which enter- 20 computer system presenting a prompt for an administrative 
prise administration can derive a time-limited administrative password and capturing the inputs provided in response to 
password for a computer system in accordance with the ,ne prompt. The prompt may be presented, for example, in 
present invention. This method assumes that both enterprise * dialog box format in response to the user requesting a 
administration (e.g., help desk computer 24) and the com- modification to the configuration of the computer system. Of 
puter system in question utilize continuously running system 2 5 cou^ such a prompt may not be necessary if the time- 
clocks that are fairly closely synchronized at all times within limited administrative password is supplied directly to the 
a tolerance AT In more secure environments, it is preferable computer system via a network or a portable storage 
if the clock within the computer system cannot be reset by medium. 

the user; in less secure environments, the computer system's Next, at block 144 the computer system computes, from 
standard integrated clock can be utilized. The increment in 30 its prestored machine-specific hash, the time-limited hash 
which the clocks keep time is implementation dependent, for all time increments within AT of the current timestamp 
but should be consistent in order to avoid having to convert as measured by its clock. The computation of the time- 
between differing time scales. Advantageously, the method limited hashes is performed as described above with respect 
shown in FIG. 4 A does not require that enterprise adminis- to block 126 of FIG. 4 A. The time-limited hashes computed 
tration maintain a list of administrative passwords for each 35 at block 144 are then converted into time-limited adminis- 
computer system under its control, but instead permits a trative passwords at block 146 utilizing, for example, the 
limited-life administrative password for a computer system method shown in FIG. 6. Thereafter, the input entered by the 
to be derived on an as-needed basis (i.e., when a configu- user in response to the prompt displayed at block 142 is 
ration update is needed). Depending upon how support is authenticated by comparison to the time-limited administra- 
provided in the enterprise, the method may be performed by 40 tive passwords produced at block 146. If the input matches 
humans at a remote help desk computer 24, by an on-site one of the time-limited administrative passwords, access to 
service engineer equipped with a portable computer or the configuration of the computer system for purposes of 
personal digital assistant (PDA), or over a computer network modifying the configuration is granted, as shown at block 
by automation. 152. Otherwise, access to the configuration of the computer 

As illustrated, the process begins at block 120 and there- 45 system is denied, as depicted at block 150. 

after proceeds to block 122, which depicts enterprise admin- The limited-time password protection scheme depicted in 

is tration obtaining the serial number or other relatively FIGS. 4A and 4B permits a tolerance AT between the 

unique identifying information of the computer system. This timestamps generated by the target computer system's clock 

step is identical to block 82 of FIG. 3, and may entail the and the clock utilized by enterprise administration for sev- 

user providing the serial number over the phone or network 50 eral reasons. First, permitting this tolerance obviates the 

or an on-site service engineer electronically or visually need to closely synchronize the two clocks. Second, the user 

reading the serial number from the computer system. Next, or service engineer is permitted a reasonable amount of time 

at block 124, the machine-specific hash of the computer to enter the limited-time administrative password before it 

system is computed (e.g., by help desk computer 24) from becomes invalid. Third, the limited -time administrative 

the serial number (or other identifying information) and the 55 password can be designed to be valid for long enough for the 

known control password, as discussed above with respect to configuration modification to be completed, which may 

block 84 of FIG. 3. The process then proceeds to block 126, entail rebooting the computer system and reentering the 

which illustrates computing a time-limited hash from the administrative password. It should also be noted that the 

machine-specific hash and the current timestamp of the tolerance following the enterprise administration timestamp 

computer system utilized by enterprise administration, 60 can advantageously be implemented to be larger than the 

which preferably generates timestamps including both a date tolerance preceding the enterprise administration timestamp 

(e.g., mm/dd/yyyy) and time. The time-limited hash can be because the tolerance window preceding the timestamp need 

obtained, for example, by concatenating the timestamp and only be large enough to accommodate the mis- 

the machine-specific hash to form an input string and then synchronization of the clocks. 

hashing the input string with SHA-1 or some other non- 65 Referring now to FIG. 5 A, there is depicted is a high level 

reversible hashing algorithm. As before, the manner in logical flowchart of an exemplary method by which enter- 

which the hash input string is formed and the hashing prise administration can produce a limited-use administra- 
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live password for a computer system in accordance with the the method shown in FIG. 6. Thereafter, the input entered by 
present invention. This method does not utilize clocks as in the user in response to the prompt displayed at block 192 is 
the above-described method, but instead assumes that the authenticated by comparison to the limited-use administra- 
target computer system is capable of generating a nonce, live password produced at block 196. If the input matches 
which is defined herein as a value having a negligible 5 the limited-use administrative password, access to the con- 
probability of being repeated over the useful lifetime of the figuration of the computer system for purposes of modifying 
computer system. The nonce can be generated by software the configuration is granted, as shown at block 202. 
or hardware utilizing, for example, a monotonically- Otherwise, access to the configuration of the computer 
increasing counter, a gray-scale counter, or a pseudo-random system is denied, as depicted at block 200. 
number generator. The method shown in FIG. 5A again has 10 The number of uses for which a limited-use adminislra- 
the advantage of not requiring enterprise administration to live password is valid according to the method illustrated in 
maintain a list of administrative passwords for each com- FIGS. 5A and 5B depends upon the conditions under which 
puter system under its control, but instead permitting a the target computer is designed to generate a new nonce. For 
limited-life administrative password to be derived for par- example, the computer system could automatically update 
ticular computer systems on an as-needed basis. As above, ^5 the nonce each time a valid administrative password is 
the method may be performed by humans and computers at entered or alternatively each time the computer system is 
a remote help desk computer 24, by an on-site service powered on (i.e., a hard boot). Updating the nonce in 
engineer equipped with a portable computer or personal response to hard boots may be preferable in that doing so 
digital assistant (PDA), or over a computer network by permits the configuration of the computer system to be 
automation, depending upon how support is provided in the 2 o unlocked multiple times during a single session with a single 
enterprise. limited-use password, meaning that a new limited-use 

As depicted, the process begins at block 170 and there- administrative password need not be generated if the com- 
after proceeds to block 172, which depicts enterprise admin- P^er system is rebooted during the reconfiguration process, 
istration obtaining the serial number or other relatively A key aspect to the exemplary configuration password- 
unique identifying information of the target computer 25 protection schemes shown in FIGS. 4A and 4B and FIGS, 
system, as discussed above with respect to block 122 of FIG. 5A and 5B is the authentication of an input received by the 
4A In addition, a nonce generated by the target computer computer system by reference to a limited-life value gener- 
system is supplied to enterprise administration. Next, at ated within the computer system. Although the exemplary 
block 174, the machine-specific hash of the computer sys- methods shown in FIGS. 4B and SB accomplish this authen- 
tem is computed from the serial number (or other identifying 30 tication by comparing an input with one or more limited -life 
information) and the known control password, as discussed administrative passwords generated by the computer system, 
above with respect to block 84 of FIG. 3. The process then alternative methods of input authentication are possible in 
proceeds to block 176, which illustrates computing a accordance with the present invention. For example, the 
limited-use hash from 11 the machine-specific hash and the hash generated by enterprise administration can be input into 
nonce. The limited-use hash can be obtained, for example, 35 tne tar g et computer system and directly compared to the one 
by concatenating the nonce and the machine-specific hash to or more hashes generated by the target computer system, 
form an input string and then hashing the input string with Alternatively, a putative limited-life administrative pass- 
SHA-1 or some other non-reversible hashing algorithm. As word entered into the target computer system can, depending 
before, the manner in which the hash input string is obtained upon the hash-to-password conversion algorithm, be con- 
and the hashing algorithm that is employed are implemen- 40 verted back into a hash and compared to the limited -life 
tat ion dependent. The limited -use hash computed at block hash(es) generated by the target computer system. 
176 is then converted into a limited-use administrative Referring now to FIG. 6, there is depicted a high level 
password of reasonable length that can be input from the logical flowchart of an exemplary method of converting a 
computer keyboard according to the method shown in FIG. hash into a password in accordance with the present inven- 
6. Following block 178, the process shown in FIG. 5 A 4s tion. As illustrated, the process begins at block 100 and 
terminates at block 180, and the limited -use administrative thereafter proceeds to block 102, which depicts selecting or 
password is supplied to the user. constructing a conversion table such as: 0, 1, 2, 3, 4, 5, 6, 7, 

With reference now to FIG. 5B, there is illustrated a high 8, 9, A, B, C. D, E, F, G, H, I, J, K, L, M, N, 0, P, Q, R, S, 

level logical flowchart of an exemplary method by which a T, U, V, W, X, Y, Z. In this exemplary conversion table, each 

computer system enforces password-protection of its con- 50 alphanumeric character represents one byte of data, yielding 

figuration using a limited-use administrative password in a total conversion table size (CT_SIZE) of 36 bytes; other 

accordance with the present invention. Like the process conversion tables having differing sizes and contents may 

shown in FIG. 4B, the process depicted in FIG. SB would alternatively be used. As depicted at block 104, an accumu- 

typically be implemented as a configuration "watchdog" lator (accum) and a counter (i) are also initialized to zero, 

program triggered in response to a user attempting to modify 55 The process then proceeds from block 104 to block 106, 

the configuration of the computer system. As shown, the which illustrates setting the value of the accumulator to the 

process begins at block 190 and thereafter proceeds to block sum of the previous accumulator value and the byte of the 

192, which illustrates the computer system presenting a machine-specific hash indexed by the counter. Next, at block 

prompt for an administrative password and capturing the 108, a conversion table index (j) is determined by computing 

inputs provided in response to the prompt. Next, at block 60 the remainder obtained when the accumulator is divided by 

194, the computer system computes a limited-use hash from the CT_SIZE. The byte value within the conversion table 

its prestored machine-specific hash and the same nonce identified by the conversion table index is then assigned to 

supplied at block 172 of FIG. 5A. The computation of the the password byte indexed by counter i, as illustrated at 

limited-use hash is performed as described above with block 110. The value of counter i is then incremented and 

respect to block 176 of FIG. 5 A. The limited-use hash 65 compared to a fixed password size (PW_SIZE) at blocks 

computed at block 194 is then converted into a limited-use 112 and 114. If the predetermined password size has not yet 

administrative password at block 196 utilizing, for example, been obtained, the process repeats blocks 106-114. If, 
however, an administrative password of the predetermined length has been obtained, the conversion process depicted in FIG. 6 terminates at block 116.

To further illustrate the principles of the present invention, an exemplary implementation of the limited-use password protection scheme outlined in FIGS. 5A and 5B will now be given. It will be assumed that the control password is selected to be h'0123456789ABCDEF' and that the serial number of the target computer system is 78-AAKP7, which is expressed in hexadecimal notation as h'37382D41414B5037'. Pre-processing of the hexadecimal representation of the serial number preferably capitalizes all lower case letters (if any) and removes non-alphanumeric characters. Thus, the dash is omitted from the serial number, leaving the hexadecimal string h'373841414B5037'. The control password and serial number are then concatenated to form the hash input string h'0123456789ABCDEF373841414B5037', which is 15 bytes in length. This input string can then be hashed utilizing the SHA-1 algorithm to obtain the machine-specific hash h'2BEC36EBBEEAA2E0EDE951D76CFB188A584A41BD', which is stored within the computer system when initialized by enterprise administration.

Thereafter, when the user attempts to update the configuration of the computer system, the computer system will provide the user with a nonce such as h'E349AF9C55B2CCA7', which is 8 bytes in length. This nonce and the serial number of the computer system are then supplied to enterprise administration. As described above, enterprise administration computes the machine-specific hash of the computer system from the serial number and the control password. The machine-specific hash and the nonce can then be concatenated to form the following 28-byte hash input string for the SHA-1 algorithm: h'2BEC36EBBEEAA2E0EDE951D76CFB188A584A41BDE349AF9C55B2CCA7'. Hashing this input string with the SHA-1 algorithm yields the 20-byte limited-use hash h'A4004BD5E702258EEBD7D00751CB4AFE6F2947F4'. When converted according to the method of FIG. 6, this limited-use hash yields the limited-use administrative password "KKNKZ12". When this administrative password is entered into the computer system, the computer system authenticates the administrative password by reference to a similarly computed administrative password and then grants the user access to the protected configuration features of the computer system.

As has been described, the present invention provides an improved method and system for implementing password protection for a data processing resource such as a computer system. According to the present invention, a limited-life administrative password having either a limited validity duration or a limited valid number of uses can be generated on an as-needed basis by the computer support organization to unlock the configuration processes of a computer system. Even if a user is supplied the administrative password to perform a configuration update, the computer support organization retains ultimate control over modifications to the configuration of the computer system since the administrative password has a limited life and therefore cannot be re-used by the user at will.

The present invention has a number of additional advantageous properties. First, the user cannot derive the control password from the administrative password. Second, because the machine-specific hash is stored within each computer system such that it cannot be accessed by a user, users cannot independently compute valid administrative passwords for their machines. Third, the administrative passwords are machine-specific by virtue of their derivation from computer serial numbers (or other relatively unique identifying information) and are domain-specific by virtue of their derivation from an arbitrarily-selected control password. Fourth, the present invention does not require the use of an export-controlled encryption algorithm.

While the invention has been particularly shown and described with reference to an illustrative embodiment, it should be understood by those skilled in the art that various changes in form and detail may be made therein without departing from the spirit and scope of the invention. For example, although the present invention has been described with respect to an illustrative embodiment in which password protection is provided for computer systems in an enterprise, it should be understood that the present invention is equally applicable to other data processing systems such as PDAs, set-top boxes, network routers and other network equipment, and remotely-located encryption devices. In addition, although aspects of the present invention have been described with respect to one or more computer systems executing software that directs the functions of the present invention, it should be understood that the present invention may alternatively be implemented as a computer program product for use with a computer system. Programs defining the functions of the present invention can be delivered to a computer system via a variety of signal-bearing media, which include, without limitation, non-writable storage media (e.g., CD-ROM), writable storage media (e.g., a floppy diskette or hard disk drive), and communication media, such as computer and telephone networks. It should be understood, therefore, that such signal-bearing media, when carrying or encoding computer readable instructions that direct the functions of the present invention, represent alternative embodiments of the present invention.

What is claimed is:

1. A method of protecting features by a data processing system utilizing a machine-specific limited-life password, said method comprising:
within non-volatile storage of a data processing system, persistently storing a persistent machine-specific hash value at least partially derived by hashing a combination of fixed information associated with said data processing system and a control password unavailable to a user of said data processing system;
in response to each attempted access to the protected features, said data processing system generating at least one machine-specific limited-life password from said persistent machine-specific hash value and a limited-life value generated within said data processing system; and
said data processing system allowing access to said protected features in response to entry of said machine-specific limited-life password and denying access otherwise.

2. The method of claim 1, and further comprising deriving said machine-specific hash value from the control password and said fixed information utilizing a non-reversible hashing algorithm.

3. The method of claim 1, wherein said fixed information comprises a serial number of said data processing system.

4. The method of claim 1, and further comprising maintaining a continuously running clock within said data processing system, wherein said limited-life value is a timestamp of said clock.

5. The method of claim 4, wherein generating at least one machine-specific limited-life password comprises:
in response to a particular attempted access, generating a plurality of machine-specific limited-life passwords that are each derived from one of a plurality of timestamps within a selected interval of the particular attempted access.
6. The method of claim 1, and further comprising generating a nonce within said data processing system, wherein said nonce is said limited-life value.

7. The method of claim 6, wherein generating a nonce comprises generating a nonce in response to each attempted access to protected features of said data processing system.

8. The method of claim 6, wherein generating a nonce comprises generating a nonce in response to each cold boot of said data processing system.

9. The method of claim 1, wherein allowing access to said protected features comprises allowing access to a configuration of said data processing system such that said configuration can be modified.

10. The method of claim 1, wherein generating at least one machine-specific limited-life password comprises:
hashing an input string formed from said machine-specific hash value and said limited-life value to obtain a limited-life hash; and
converting said limited-life hash into said machine-specific limited-life password.

11. A data processing system, comprising:
non-volatile storage that persistently stores a persistent machine-specific hash value at least partially derived by hashing a combination of fixed information associated with said data processing system and a control password unavailable to a user of the data processing system;
a limited-life value generator;
execution resources; and
a watchdog program executable by said execution resources that, in response to each attempted access to protected features, generates at least one machine-specific limited-life password from said persistent machine-specific hash value and a limited-life value generated by said limited-life value generator and that allows access to said protected features only in response to entry of said machine-specific limited-life password.

12. The data processing system of claim 11, wherein said machine-specific hash value is derived from said control password and said fixed information utilizing a non-reversible hashing algorithm.

13. The data processing system of claim 11, wherein said fixed information comprises a serial number of said data processing system.

14. The data processing system of claim 11, said limited-life value generator comprising a continuously running clock, wherein said limited-life value is a timestamp of said clock.

15. The data processing system of claim 14, wherein said watchdog program, responsive to a particular attempted access, generates a plurality of machine-specific limited-life passwords that are each derived from one of a plurality of timestamps within a selected interval of the particular attempted access.

16. The data processing system of claim 11, wherein said limited-life value generator comprises a nonce generator and said limited-life value is a nonce.

17. The data processing system of claim 16, wherein said nonce generator generates a nonce in response to each attempted access to protected features of said data processing system.

18. The data processing system of claim 16, wherein said nonce generator generates a nonce in response to each cold boot of said data processing system.

19. The data processing system of claim 11, and further comprising said protected features, wherein said protected features include a configuration of said data processing system.

20. The data processing system of claim 11, wherein said watchdog program generates said at least one machine-specific limited-life password by hashing an input string formed from said machine-specific hash value and said limited-life value to obtain a limited-life hash and then converting said limited-life hash into said machine-specific limited-life password.

21. A program product, comprising:
a data processing system usable medium; and
password protection software embodied within said data processing system usable medium, wherein said password protection software includes:
initialization software that derives a persistent machine-specific hash value by hashing a combination of a control password unavailable to a user of the data processing system and fixed information associated with said data processing system; and
a watchdog program that, in response to each attempted access to protected features, generates at least one machine-specific limited-life password from the persistent machine-specific hash value and a limited-life value generated by a limited-life value generator within the data processing system, wherein said watchdog program allows access to said protected features only in response to entry of said machine-specific limited-life password.

22. The program product of claim 21, wherein said initialization software derives said machine-specific hash value utilizing a non-reversible hashing algorithm.

23. The program product of claim 21, wherein said fixed information comprises a serial number of the data processing system.

24. The program product of claim 21, wherein said limited-life value is a timestamp of a clock within the data processing system.

25. The program product of claim 24, wherein said watchdog program, responsive to a particular attempted access, generates a plurality of machine-specific limited-life passwords that are each derived from one of a plurality of timestamps within a selected interval of said particular attempted access.

26. The program product of claim 21, wherein said limited-life value is a nonce.

27. The program product of claim 21, wherein said protected features include a configuration of the data processing system.

28. The program product of claim 21, wherein said watchdog program generates said at least one machine-specific limited-life password by hashing an input string formed from said machine-specific hash value and said limited-life value to obtain a limited-life hash and then converting said limited-life hash into said machine-specific limited-life password.

29. The method of claim 1, and further comprising entering an attempted password into said data processing system in unencrypted form to gain access to said protected features.

30. The data processing system of claim 11, wherein said watchdog program allows access to said protected features only in response to a match between an unencrypted attempted password and said machine-specific limited-life password.

31. The program product of claim 21, wherein said watchdog program allows access to said protected features only in response to a match between an unencrypted attempted password and said machine-specific limited-life password.

* * * * *
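The initialization, nonce exchange, limited-use hash and FIG. 6 conversion described in the detailed description above, collected into one runnable Python example. This is added illustration, not code from the patent or its assignee. The SHA-1 inputs use the control password, serial number and nonce from the worked example, so the printed machine-specific hash can be compared with the value stated there; the conversion table contents, the initial accumulator value, the accumulator width and the CT_SIZE and PW_SIZE values are not given on this page and are assumed here, so the resulting password will not be the "KKNKZ12" of the description. The nonce is treated as single-use, which is what makes the password limited-life in the nonce variant of the scheme.

```python
import hashlib
import hmac
import os

# Values taken from the patent's worked example.
CONTROL_PASSWORD = bytes.fromhex("0123456789ABCDEF")   # known only to enterprise administration
SERIAL = "78-AAKP7"                                    # serial number of the target computer
SAMPLE_NONCE = bytes.fromhex("E349AF9C55B2CCA7")       # 8-byte nonce shown by the machine

# Assumed FIG. 6 parameters: the page names CT_SIZE, PW_SIZE and the conversion table
# but does not give their values or the initial accumulator value.
CONVERSION_TABLE = b"ABCDEFGHJKLMNPQRSTUVWXYZ23456789"  # hypothetical 32-entry table
CT_SIZE = len(CONVERSION_TABLE)
PW_SIZE = 7                                            # "KKNKZ12" is seven characters
ACC_INIT = 0                                           # assumed initial accumulator value


def normalize_serial(serial: str) -> bytes:
    """Pre-processing from the description: upper-case, drop non-alphanumerics (the dash)."""
    return "".join(ch for ch in serial.upper() if ch.isalnum()).encode("ascii")


def machine_specific_hash(control_password: bytes, serial: str) -> bytes:
    """Initialization: SHA-1 over control password || normalized serial (15 bytes here)."""
    return hashlib.sha1(control_password + normalize_serial(serial)).digest()


def limited_use_hash(ms_hash: bytes, nonce: bytes) -> bytes:
    """Blocks 176 / 194: SHA-1 over machine-specific hash || nonce (28 bytes here)."""
    return hashlib.sha1(ms_hash + nonce).digest()


def hash_to_password(limited_hash: bytes) -> str:
    """FIG. 6 conversion: a running accumulator over hash bytes selects table entries.

    Each step adds hash byte i to the accumulator, takes the remainder modulo CT_SIZE
    as the table index j, and emits that table byte as password byte i (blocks 106-114).
    The accumulator is kept as an unbounded integer; its width is not stated on the page.
    """
    acc = ACC_INIT
    password = bytearray()
    for i in range(PW_SIZE):
        acc += limited_hash[i]
        j = acc % CT_SIZE
        password.append(CONVERSION_TABLE[j])
    return password.decode("ascii")


def admin_password(control_password: bytes, serial: str, nonce: bytes) -> str:
    """Enterprise administration side: recompute from serial, nonce and control password."""
    ms_hash = machine_specific_hash(control_password, serial)
    return hash_to_password(limited_use_hash(ms_hash, nonce))


class Watchdog:
    """Machine side. Holds only the machine-specific hash (never the control password),
    issues one nonce per attempted access, and accepts a password only for that nonce."""

    def __init__(self, ms_hash: bytes, nonce_source=None):
        self._ms_hash = ms_hash                    # value kept in non-volatile storage
        self._nonce_source = nonce_source or (lambda: os.urandom(8))
        self._pending_nonce = None

    def begin_access(self) -> bytes:
        """Generate and display the nonce for this attempt (block 172 of FIG. 5A)."""
        self._pending_nonce = self._nonce_source()
        return self._pending_nonce

    def check_password(self, attempted: str) -> bool:
        """Blocks 194-196: derive the expected password for the pending nonce and compare.

        The nonce is discarded after a single check, pass or fail, so a password that
        was disclosed for one access attempt is not accepted for a later one."""
        if self._pending_nonce is None:
            return False
        expected = hash_to_password(limited_use_hash(self._ms_hash, self._pending_nonce))
        self._pending_nonce = None
        return hmac.compare_digest(expected.encode("ascii"), attempted.encode("utf-8"))


if __name__ == "__main__":
    ms = machine_specific_hash(CONTROL_PASSWORD, SERIAL)
    print("machine-specific hash:", ms.hex().upper())     # compare with the description
    wd = Watchdog(ms, nonce_source=lambda: SAMPLE_NONCE)
    nonce = wd.begin_access()
    pw = admin_password(CONTROL_PASSWORD, SERIAL, nonce)  # computed by administration
    print("nonce:", nonce.hex().upper(), "password:", pw)
    print("first entry accepted:", wd.check_password(pw))
    print("re-entry accepted:", wd.check_password(pw))
```

The split of responsibilities mirrors the description: only enterprise administration holds the control password, the machine holds the derived machine-specific hash, and both sides can compute the same limited-use password from that hash and the nonce. The comparison uses a constant-time check, and a wrong entry also consumes the nonce, so every attempt forces a fresh nonce and a fresh round trip to administration.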